Module Name: src Committed By: riastradh Date: Sat May 14 15:28:59 UTC 2022
Modified Files: src/sys/dev/usb: uvideoreg.h Log Message: uvideo(4): Fix lengths of various frame descriptors. This driver doesn't use the frame interval members, which are either fixed (if continuous) or flexible (if discrete) and so can't be encoded in C types correctly. If we did use them, it would be necessary to use pointer arithmetic on char pointers in the enclosing descriptor buffer. But we don't, so this is simpler, and fixes the sizeof checks to avoid running off the end of invalid descriptors. Should fix failure to parse legitimate descriptors (without regressing to choking on malicious ones): -uvideo: found format (index 1) type 9 size 1280x720 size 1843200 stride 2560 interval 333333 - ^ picking this one -uvideo: found format (index 2) type 9 size 640x480 size 614400 stride 1280 interval 333333 +uvideo: truncated CS subtype-0x7 descriptor, length 30 < 38uvideo: unimplemented VS CS descriptor len=30 type=0x24 subtype=0x07 +uvideo: unimplemented VS CS descriptor len=30 type=0x24 subtype=0x07 To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/sys/dev/usb/uvideoreg.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/uvideoreg.h
diff -u src/sys/dev/usb/uvideoreg.h:1.6 src/sys/dev/usb/uvideoreg.h:1.7
--- src/sys/dev/usb/uvideoreg.h:1.6 Sun Nov 14 08:32:07 2021
+++ src/sys/dev/usb/uvideoreg.h Sat May 14 15:28:59 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: uvideoreg.h,v 1.6 2021/11/14 08:32:07 andvar Exp $ */
+/* $NetBSD: uvideoreg.h,v 1.7 2022/05/14 15:28:59 riastradh Exp $ */
 /*
 * Copyright (c) 2008 Patrick Mahoney
@@ -435,9 +435,8 @@ typedef struct {
 uDWord dwMaxVideoFrameBufferSize;
 uDWord dwDefaultFrameInterval;
 uByte bFrameIntervalType;
- uvideo_frame_interval_t uFrameInterval;
 } UPACKED uvideo_vs_frame_uncompressed_descriptor_t;
-
+CTASSERT(sizeof(uvideo_vs_frame_uncompressed_descriptor_t) == 26);
 /* Frame based Format and Frame descriptors. This is for generic
 * frame based payloads not covered by other types (e.g, uncompressed
@@ -471,9 +470,8 @@ typedef struct {
 uDWord dwDefaultFrameInterval;
 uByte bFrameIntervalType;
 uDWord dwBytesPerLine;
- uvideo_frame_interval_t uFrameInterval;
 } UPACKED uvideo_frame_frame_based_descriptor_t;
-
+CTASSERT(sizeof(uvideo_frame_frame_based_descriptor_t) == 26);
 /* MJPEG format and frame descriptors */
@@ -506,9 +504,8 @@ typedef struct {
 uDWord dwMaxVideoFrameBufferSize;
 uDWord dwDefaultFrameInterval;
 uByte bFrameIntervalType;
- uvideo_frame_interval_t uFrameInterval;
 } UPACKED uvideo_vs_frame_mjpeg_descriptor_t;
-
+CTASSERT(sizeof(uvideo_vs_frame_mjpeg_descriptor_t) == 26);
 typedef struct {
 uByte bLength;
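Review bot: With `uFrameInterval` dropped from `uvideo_vs_frame_uncompressed_descriptor_t` (hunk at -435), nothing in the struct says that a device-supplied frame interval table still follows the 26 fixed bytes, so a later reader could step past `sizeof` without checking `bLength`. A comment after `bFrameIntervalType` would keep that visible, for example `/* frame interval table follows, not declared here; bound any access by bLength */`. The same comment applies to the hunks at -471 (`uvideo_frame_frame_based_descriptor_t`, after `dwBytesPerLine`) and -506 (`uvideo_vs_frame_mjpeg_descriptor_t`). Each typedef opens above its hunk, so the leading members are not visible here.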